How to Dynamically Ban Malicious IP's using IPSet (Martineau version)

Xentrk · May 4, 2017

Jack Yaz said:
Ok I'll do that. Only got my Asus a week ago and don't want to wear the flash too quickly!

That is now urban legend from what I understand.

You should be fine.

Jack Yaz · May 4, 2017

Ah OK, I read it here: https://github.com/RMerl/asuswrt-merlin/wiki/JFFS

Xentrk · May 4, 2017

Jack Yaz said:

ANother stupid question, on the wiki, it mentions:

Code:

# Reinstate the ipset rules if they have been created already
[ "$(uname -m)" = "mips" ] && MATCH_SET='--set' || MATCH_SET='--match-set'
for ipSet in $(ipset -L | sed -n '/^Name:/s/^.* //p'); do
  case $ipSet in
    AcceptList) iptables-save | grep -q "$ipSet" || iptables -I INPUT -m set $MATCH_SET $ipSet src -j ACCEPT;;
    TorNodes|BlockedCountries|CustomBlock) iptables-save | grep -q "$ipSet" || iptables -I INPUT -m set $MATCH_SET $ipSet src -j DROP;;
    MicrosoftSpyServers) iptables-save | grep -q "$ipSet" || iptables -I FORWARD -m set $MATCH_SET $ipSet dst -j DROP;;
    *) iptables-save | grep -q "$ipSet" || iptables -I FORWARD -m set $MATCH_SET $ipSet src,dst -j DROP;;
  esac
done

Is it a good idea to use this as a matter of course, in case I change anything in the UI?

Correct. In a prior discussion this week, Merlin stated that changes to the Administration-System page will cause this behavior.

Xentrk · May 4, 2017

Jack Yaz said:
Ah OK, I read it here: https://github.com/RMerl/asuswrt-merlin/wiki/JFFS

Ah yes. I think the caveat is high volume activity files. Best to put those on USB drives.
I recommend reading thru the wiki if you are new to ASUS Merlin. This page will help you understand the scripts and their purpose. https://github.com/RMerl/asuswrt-merlin/wiki/User-scripts

Jack Yaz · May 4, 2017

Yes been reading plenty and got a few scripts going. Didn't know if writing out to the Blacklist would constitute high volume activity. I have a 500gb USB HDD plugged in, may reformat it to ext4 using this guide: http://www.algissalys.com/how-to/format-and-partition-usb-asuswrt-routers, with an additional 3rd partition of 2GB to store script outputs.

Xentrk · May 4, 2017

Jack Yaz said:
Yes been reading plenty and got a few scripts going. Didn't know if writing out to the Blacklist would constitute high volume activity. I have a 500gb USB HDD plugged in, may reformat it to ext4 using this guide: http://www.algissalys.com/how-to/format-and-partition-usb-asuswrt-routers, with an additional 3rd partition of 2GB to store script outputs.

I would get a smaller usb drive and use it for this purpose and plug it into the USB2 port. Keep the other one for client backups or as a poor man NAS solution.

I have a two GB USB drive in my USB2 port with two partitions (one for ab-solution and the other for entware) with ext2 format and a 1TB NTFS in on the USB3 port. I turned off the router and removed the existing 2GB USB Drive (after I uninstalled ab-solution)which I recommend highly BTW.

I used a free software called Mini Parition Tool on my win 10 laptop. I first reformatted the entire USB as NTFS with the label name of my router e.g. RT-AC88U-1234. There is an option to split the partitions in half. So now I have two partitions of 1 GB each formatted as NTFS. I then took one of them and split that one it in half. I now have 3 partitions as NTFS. With the tool, you can now reformat and label each partition. I left the partition labeled as my router name alone as I am using that for the IPSET_Block.sh script. entware and absolution don't require that much space. 500mb each is plenty. So, I took one of the second NTFS partitions I had split in half, right clicked and choose format. I labeled it as absolution with ext2 format. I repeated the same for the other and labeled it entware. I then applied the changes. I have done formatting and labeling using both the Linux command line and tools. But the gui interface of the Mini Tool Partition wizard is so much easier. I had to reinstall ab-solution and entware when done and other packages. I then plugged the drive into the USB 2 port, turned on the router. I have SSH enabled. So I logon, and navigate to /tmp/mnt. I do a ls command and see the three partitions I created as directories: entware, absolution and RT-AC88U-1234.
Hope this helps!

swetoast · May 4, 2017

Jack Yaz said:

ANother stupid question, on the wiki, it mentions:

Code:

# Reinstate the ipset rules if they have been created already
[ "$(uname -m)" = "mips" ] && MATCH_SET='--set' || MATCH_SET='--match-set'
for ipSet in $(ipset -L | sed -n '/^Name:/s/^.* //p'); do
  case $ipSet in
    AcceptList) iptables-save | grep -q "$ipSet" || iptables -I INPUT -m set $MATCH_SET $ipSet src -j ACCEPT;;
    TorNodes|BlockedCountries|CustomBlock) iptables-save | grep -q "$ipSet" || iptables -I INPUT -m set $MATCH_SET $ipSet src -j DROP;;
    MicrosoftSpyServers) iptables-save | grep -q "$ipSet" || iptables -I FORWARD -m set $MATCH_SET $ipSet dst -j DROP;;
    *) iptables-save | grep -q "$ipSet" || iptables -I FORWARD -m set $MATCH_SET $ipSet src,dst -j DROP;;
  esac
done

Is it a good idea to use this as a matter of course, in case I change anything in the UI?

that last script has nothing to do with this list

thats for a totally other script

amplatfus · May 4, 2017

Hi,
Let me share my case. I have successful blocks and banned some IP, but hacker ports report is empty.
Please help me to understand why hacker ports report is emty or how to test that is working.

Code:

root@router:/jffs/scripts# ./IPSET_Block.sh
(IPSET_Block.sh): 28277 v3.05  2016-2017 Martineau, Dynamic IPSET Blacklist banning request.....
        Summary Blacklist: 40627 Successful blocks! ( 125 IPs currently banned - 652 added since: May 4 11:06 ), Entries auto-expire after 168:00:00 hrs
(HackerPorts.sh): 28352 v2.02 Hacker Port attacks Report starting.....
Thu May 4 22:16:02 DST 2017 Statistics: Total Unique Ports attacked: 0 (out of 0 attempts) tracked using SYSLOG between May  4 19:43:04 - May  4 22:16:02
        Top 3 Ports attacked:
        Top 3 attackers:
        Last 3 most recent attackers:

Thank you for your help. [emoji4]

Sent from my ONE A2003 using Tapatalk

Martineau · May 4, 2017

amplatfus said:

...successful blocks and banned some IP, but hacker ports report is empty.

Code:

root@router:/jffs/scripts# ./IPSET_Block.sh
(IPSET_Block.sh): 28277 v3.05  2016-2017 Martineau, Dynamic IPSET Blacklist banning request.....
        Summary Blacklist: 40627 Successful blocks! ( 125 IPs currently banned - 652 added since: May 4 11:06 ), Entries auto-expire after 168:00:00 hrs
(HackerPorts.sh): 28352 v2.02 Hacker Port attacks Report starting.....
Thu May 4 22:16:02 DST 2017 Statistics: Total Unique Ports attacked: 0 (out of 0 attempts) tracked using SYSLOG between May  4 19:43:04 - May  4 22:16:02
        Top 3 Ports attacked:
        Top 3 attackers:
        Last 3 most recent attackers:

Thank you for your help.

I don't think any deserve any thanks given my rubbish script!

Could you please try these diagnostic commands and post the output

Code:

iptables -V

iptables -S logdrop

iptables --line -nvL logdrop

iptables -S Blacklist

iptables --line -nvL Blacklist

iptables -A Blacklist -m state --state NEW -j LOG --log-prefix "Block " --log-tcp-sequence --log-tcp-options --log-ip-options

iptables -A Blacklist -m state --state NEW -j LOG --log-prefix "Block " --log-tcp-sequence

iptables -A Blacklist -m state --state NEW -j LOG --log-prefix "Block "

iptables -S Blacklist

iptables --line -nvL Blacklist

grep -E "Block IN=$(nvram get wan0_ifname)" /tmp/syslog.log | grep -oE "SRC.*DPT=.*\SEQ" | wc -l

grep -E "Block IN=$(nvram get wan0_ifname)" /tmp/syslog.log | grep -oE "SRC.*DPT=.*SEQ" | wc -l

Then try to run a combined report

Code:

./IPSET_Block.sh

Xentrk · May 5, 2017

Martineau said:
I don't think any deserve any thanks given my rubbish script!

You deserve a lot of thanks. In fact, I would send you a PayPal donation if you let me know how. I really appreciate the script and the support you provide on the forum.

octopus · May 5, 2017

Martineau said:
I don't think any deserve any thanks given my rubbish script!

We all love your script and effort to help people.

swetoast · May 5, 2017

Martineau said:
I don't think any deserve any thanks given my rubbish script!

try and try again, welcome to the wonderful world of maintaining.

amplatfus · May 5, 2017

I can say that you deserve at least thanks and even more for all your time and passion invested.
Please find below my output and please share your thoughts.

Many thanks!

Code:

ASUSWRT-Merlin RT-AC88U 380.65-2 Fri Mar 10 05:31:41 UTC 2017
root@rooter:/tmp/home/root# iptables -V
iptables v1.4.14
root@rooter:/tmp/home/root# iptables -S Blacklist
-N Blacklist
-A Blacklist -m state --state NEW -j SET --add-set Blacklist src
-A Blacklist -m state --state NEW -j LOG --log-prefix "Block " --log-tcp-sequence --log-tcp-options --log-ip-options
-A Blacklist -m state --state NEW -j LOG --log-prefix "Block " --log-tcp-sequence --log-tcp-options --log-ip-options
-A Blacklist -m state --state NEW -j LOG --log-prefix "Block " --log-tcp-sequence
-A Blacklist -m state --state NEW -j LOG --log-prefix "Block "
root@rooter:/tmp/home/root# iptables --line -nvL Blacklist
Chain Blacklist (4 references)
num   pkts bytes target     prot opt in     out     source               destination
1    12215 5948K SET        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW add-set Blacklist src
2    12215 5948K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW LOG flags 7 level 4 prefix "Block "
3       39 20165 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW LOG flags 7 level 4 prefix "Block "
4       39 20165 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW LOG flags 1 level 4 prefix "Block "
5       38 19589 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW LOG flags 0 level 4 prefix "Block "
root@rooter:/tmp/home/root# iptables -A Blacklist -m state --state NEW -j LOG --log-prefix "Block " --log-tcp-sequence --log-tcp-options --log-ip-options
root@rooter:/tmp/home/root# iptables -A Blacklist -m state --state NEW -j LOG --log-prefix "Block " --log-tcp-sequence
root@rooter:/tmp/home/root# iptables -A Blacklist -m state --state NEW -j LOG --log-prefix "Block "root@rooter:/tmp/home/root# grep -E "Block IN=$(nvram get wan0_ifname)" /tmp/syslog.log | grep -oE "SRC.*DPT=.*\SEQ" | wc -l
0
root@rooter:/tmp/home/root# grep -E "Block IN=$(nvram get wan0_ifname)" /tmp/syslog.log | grep -oE "SRC.*DPT=.*SEQ" | wc -l
0
root@rooter:/tmp/home/root# cd /jffs/scripts
root@rooter:/jffs/scripts# ./IPSET_Block.sh
(IPSET_Block.sh): 19491 v3.05 [emoji767] 2016-2017 Martineau, Dynamic IPSET Blacklist banning request.....

        Summary Blacklist: 60321 Successful blocks! ( 777 IPs currently banned - 762 added since: May 4 22:16 ), Entries auto-expire after 168:00:00 hrs

(HackerPorts.sh): 19566 v2.02 Hacker Port attacks Report starting.....

Fri May 5 11:14:22 DST 2017 Statistics: Total Unique Ports attacked: 0 (out of 0 attempts) tracked using SYSLOG between May  5 10:04:53 - May  5 11:14:22                     
        Top 3 Ports attacked:
        Top 3 attackers:
        Last 3 most recent attackers:
[\code] 






Sent from my ONE A2003 using Tapatalk

Martineau · May 5, 2017

amplatfus said:

Please find below my output and please share your thoughts.

Code:

"root@rooter:/tmp/home/root# grep -E "Block IN=$(nvram get wan0_ifname)" /tmp/syslog.log | grep -oE "SRC.*DPT=.*\SEQ" | wc -l
0
root@rooter:/tmp/home/root# grep -E "Block IN=$(nvram get wan0_ifname)" /tmp/syslog.log | grep -oE "SRC.*DPT=.*SEQ" | wc -l
0

OK, I really appreciate you taking the time to assist in debugging.

So 'IPSET_Block.sh init' has executed correctly as clearly it appears it has ensured 12,215 "Block IN=" LOG messages were created (before the manual duplication of the 3 "Block" LOG rules you added!)

Code:

Chain Blacklist (4 references)
num   pkts bytes target     prot opt in     out     source               destination
1    12215 5948K SET        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW add-set Blacklist src
2    12215 5948K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW LOG flags 7 level 4 prefix "Block "

So could you please assist further by issuing the following and post the output.

Code:

tail /tmp/syslog.log
grep -E "Block.*" /tmp/syslog.log | tail

amplatfus · May 5, 2017

Thanks. Please find below the output step 2:

Code:

ASUSWRT-Merlin RT-AC88U 380.65-2 Fri Mar 10 05:31:41 UTC 2017
root@rooter:/tmp/home/root# tail /tmp/syslog.log
May  5 12:38:14 kernel: Block IN=ppp0 OUT= MAC= SRC=190.175.29.142 DST=79.115.188.148 LEN=40 TOS=0x14 PREC=0x00 TTL=45 ID=43374 PROTO=TCP SPT=3802 DPT=22 WINDOW=38691 RES=0x00 SYN URGP=0
May  5 12:38:16 kernel: Block IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:78:24:af:7f:f1:8c:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
May  5 12:38:16 kernel: Block IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:78:24:af:7f:f1:8c:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
May  5 12:38:16 kernel: Block IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:78:24:af:7f:f1:8c:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
May  5 12:38:16 kernel: Block IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:78:24:af:7f:f1:8c:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
May  5 12:38:16 kernel: Block IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:78:24:af:7f:f1:8c:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
May  5 12:38:16 kernel: Block IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:78:24:af:7f:f1:8c:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
May  5 12:38:16 kernel: Block IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:78:24:af:7f:f1:8c:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
May  5 12:38:17 dropbear[32579]: Child connection from 10.8.0.2:52705
May  5 12:38:18 dropbear[32579]: Password auth succeeded for 'stoic' from 10.8.0.2:52705
root@rooter:/tmp/home/root# grep -E "Block IN=" /tmp/syslog.log | tail
May  5 12:38:42 kernel: Block IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:78:24:af:7f:f1:8c:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
May  5 12:38:42 kernel: Block IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:78:24:af:7f:f1:8c:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
May  5 12:38:42 kernel: Block IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:78:24:af:7f:f1:8c:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
May  5 12:38:45 kernel: Block IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:78:24:af:7f:f1:8c:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
May  5 12:38:45 kernel: Block IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:78:24:af:7f:f1:8c:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
May  5 12:38:45 kernel: Block IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:78:24:af:7f:f1:8c:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
May  5 12:38:45 kernel: Block IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:78:24:af:7f:f1:8c:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
May  5 12:38:45 kernel: Block IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:78:24:af:7f:f1:8c:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
May  5 12:38:45 kernel: Block IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:78:24:af:7f:f1:8c:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
May  5 12:38:45 kernel: Block IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:78:24:af:7f:f1:8c:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556

Sent from my ONE A2003 using Tapatalk

Martineau · May 5, 2017

amplatfus said:

Thanks. Please find below the output step 2:

Code:

ASUSWRT-Merlin RT-AC88U 380.65-2 Fri Mar 10 05:31:41 UTC 2017
root@rooter:/tmp/home/root# tail /tmp/syslog.log
May  5 12:38:14 kernel: Block IN=ppp0 OUT= MAC= SRC=190.175.29.142 DST=79.115.188.148 LEN=40 TOS=0x14 PREC=0x00 TTL=45 ID=43374 PROTO=TCP SPT=3802 DPT=22 WINDOW=38691 RES=0x00 SYN URGP=0
May  5 12:38:16 kernel: Block IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:78:24:af:7f:f1:8c:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
<snip>

It appears the issue is with parsing the syslog lines on your system.
Unfortunately I don't get a correct report when attempting to parse the lines of Syslog you provided, but this may be simply because of the 3 LOG rules that were temporarily added.

Can you delete rules 5,4 and 3 from the Blacklist chain ?

Code:

iptables --line -nvL Blacklist

Chain Blacklist (4 references)
num   pkts bytes target     prot opt in     out     source               destination
1    12215 5948K SET        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW add-set Blacklist src
2    12215 5948K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW LOG flags 7 level 4 prefix "Block "
3       39 20165 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW LOG flags 7 level 4 prefix "Block "
4       39 20165 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW LOG flags 1 level 4 prefix "Block "
5       38 19589 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW LOG flags 0 level 4 prefix "Block

iptables -D Blacklist 5
iptables -D Blacklist 4
iptables -D Blacklist 3

...then patch LINE:157 in the HackerPorts.sh script: (basically text string \SEQ is replaced by [A-Z] )

Code:

grep -E "[DROP IN=|Block IN=]$(nvram get wan0_ifname)" /tmp/syslog.log | grep -oE "SRC.*DPT=.*\SEQ" \

change to

grep -E "[DROP IN=|Block IN=]$(nvram get wan0_ifname)" /tmp/syslog.log | grep -oE "SRC.*DPT=.*[A-Z]" \

and retry the report ?

amplatfus · May 5, 2017

Martineau said:

It appears the issue is with parsing the syslog lines on your system.
Unfortunately I don't get a correct report when attempting to parse the lines of Syslog you provided, but this may be simply because of the 3 LOG rules that were temporarily added.

Can you delete rules 5,4 and 3 from the Blacklist chain ?

Code:

iptables --line -nvL Blacklist

Chain Blacklist (4 references)
num   pkts bytes target     prot opt in     out     source               destination
1    12215 5948K SET        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW add-set Blacklist src
2    12215 5948K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW LOG flags 7 level 4 prefix "Block "
3       39 20165 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW LOG flags 7 level 4 prefix "Block "
4       39 20165 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW LOG flags 1 level 4 prefix "Block "
5       38 19589 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW LOG flags 0 level 4 prefix "Block

iptables -D Blacklist 5
iptables -D Blacklist 4
iptables -D Blacklist 3

...then patch LINE:157 in the HackerPorts.sh script: (basically text string \SEQ is replaced by [A-Z] )

Code:

grep -E "[DROP IN=|Block IN=]$(nvram get wan0_ifname)" /tmp/syslog.log | grep -oE "SRC.*DPT=.*\SEQ" \

change to

grep -E "[DROP IN=|Block IN=]$(nvram get wan0_ifname)" /tmp/syslog.log | grep -oE "SRC.*DPT=.*[A-Z]" \

and retry the report ?

Yes. I edited line 157 in HackerPorts.sh and deleted d iptables. Here it is:

Code:

root@rooter:/jffs/scripts# iptables -D Blacklist 5
root@rooter:/jffs/scripts# iptables -D Blacklist 4
root@rooter:/jffs/scripts# iptables -D Blacklist 3
root@rooter:/jffs/scripts# ./HackerPorts.sh
(HackerPorts.sh): 27736 v2.02 Hacker Port attacks Report starting.....

Fri May 5 15:36:20 DST 2017 Statistics: Total Unique Ports attacked: 1 (out of 429 attempts) tracked using SYSLOG between May  5 15:21:19 - May  5 15:36:20

        Top 10 Ports attacked:
  429 http://www.speedguide.net/port.php?port=67    e.g.  https://dnsquery.org/ipwhois/0.0.0.0

        Top 10 attackers:
    1 https://dnsquery.org/ipwhois/0.0.0.0

        Last 10 most recent attackers:
      https://dnsquery.org/ipwhois/0.0.0.0

Seems to be changed. But get ip 0.0.0.0 [emoji17]

10q

Sent from my ONE A2003 using Tapatalk

Martineau · May 5, 2017

amplatfus said:
(HackerPorts.sh): 27736 v2.02 Hacker Port attacks Report starting.....

Fri May 5 15:36:20 DST 2017 Statistics: Total Unique Ports attacked: 1 (out of 429 attempts) tracked using SYSLOG between May 5 15:21:19 - May 5 15:36:20

Top 10 Ports attacked:
429 http://www.speedguide.net/port.php?port=67 e.g. https://dnsquery.org/ipwhois/0.0.0.0

Top 10 attackers:
1 https://dnsquery.org/ipwhois/0.0.0.0

Last 10 most recent attackers:
https://dnsquery.org/ipwhois/0.0.0.0
[/code]
Seems to be changed. But get ip 0.0.0.0

So finally the report is now actually listing 'attack' attempts!

Unfortunately the simple Regexp patch breaks the script on my RT-AC68U 380.66Beta1

Regexp is always a challenge for me but I'll investigate further.

I did think it was strange that '0.0.0.0' appears a lot on your system to port 67.

If you look at LINE:381 you can see I considered restricting the tracking to only the WAN interface but changed my mind for the public release.

Code:

   # WAN only or ALL interfaces BRx / tun1x etc. ?
   #if [ $WAN_ONLY ];then
    #iptables -I INPUT $RULENO -i $(nvram get wan0_ifname) -m state --state INVALID -j Blacklist  # WAN only
   #else
    iptables -I INPUT $RULENO                              -m state --state INVALID -j Blacklist  # ALL interfaces
   #fi

Feel free to uncomment/swap the lines to force the tracking of only WAN port blocks, but I suspect the alternative rule will still report 0.0.0.0 unless explicitly excluded.
P.S. I don't see o.o.o.o on my RT-AC68U.

I suggest you leave it for 24hrs to see if your custom patched script eventually reports on ports other than 67 and from external IP addresses.

NOTE: I've also spotted that the top 3 Ports 'attacked' differs when the 'num=nn' is used

Basically LINE:187 in the HackerPorts.sh script: should be reversed

Code:

head -n $TOPX $LOGFILE".tmp" | sort -nr     >> $LOGFILE.new

change to

sort -nr  $LOGFILE".tmp"  | head -n $TOPX >> $LOGFILE.new

Again, many thanks for your patience and time in providing the diagnostics and debugging.

amplatfus · May 5, 2017

I thank you, big one! For me it was a pleasure.
I have a little question: I have the FTP 21 port open.

I have tried to enter wrong password from my mobile LTE connection to FTP many times per minute (in order to block that external IP) and I could still login immediately.

This solution will protect somehow this port even is open?
Thank you!

Sent from my ONE A2003 using Tapatalk

HRearden · May 5, 2017

I think this addition and some of the Trend Micro Network AIprotection may get in each other's way, specifically Malicious Sites Blocking and Vulnerability Protection. At least I get some different error messages when I run the script and have those on. I have had a hard time finding out exactly what and how those work. Does this script attempt to do the same thing? Can they both run?
rearden

How to Dynamically Ban Malicious IP's using IPSet (Martineau version)

Part of the Furniture

Part of the Furniture

Part of the Furniture

Part of the Furniture

Part of the Furniture

Part of the Furniture

Guest

Senior Member

Part of the Furniture

Part of the Furniture

Part of the Furniture

Guest

Senior Member

Part of the Furniture

Senior Member

Part of the Furniture

Senior Member

Part of the Furniture

Senior Member

Occasional Visitor

Similar threads

Support SNBForums w/ Amazon

Sign Up For SNBForums Daily Digest